| Commit message | Author | Age | Files | Lines |

By default, the current KCSAN .config does not enable KCSAN during boot,
since we encounter races during boot which would prevent syzkaller from
ever executing.
This adds support to detect if KCSAN is available, and enables it on the
fuzzer host.

Update #533

It was reported that binder isn't covered when using syzkaller on a real
Android device, since the binder device names are different. Update the
descriptions to know about the real-world device names too.

Looks like opening hiddev can take up to ~100 ms.

Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>

Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>

The BPF template currently only defines helper calls. BPF function calls
(bpf-to-bpf calls) are however supported in Linux since v4.16.
This patch defines bpf-to-bpf calls in the template.
Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>

Move accessing syscalls array to check for USB syscalls after we validate
the call_num value (it can be e.g. instr_copyin/out).

A new BPF instruction that allows lookup-free map value accesses was added
in Linux v5.2, with commit d8eca5b ("bpf: implement lookup-free direct
value access for maps"). It enables direct access to map values without
having to call a BPF helper. It is currently used to implement global
variable support.
This commit adds support for that new instruction.
Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>

The signature of sendfile() on FreeBSD is different from the one
used on Linux.

r350749 updated the constant from IPPROTO_SEP to IPPROTO_DCCP
to be consistent with the IANA registry.

This commit fixes a handle leak in syz_mmap. The bug was pointed out by
mdempsky during a code review.
The `syz_mmap` function creates a VMO and maps it to a VMAR in the address
specified by the `syz_mmap` parameters. Once a VMO is mapped to a VMAR,
the handle to the VMO can be closed without problems.
The new code makes sure that `zx_handle_close(vmo_handle)` gets called before
the `syz_mmap` function returns.

syz_mmap is a pseudo-syscall that can be used by syzkaller in fuzzing
programs; however, it is also used to set up the environment for
syz-executor. syz-executor already checks the return value[0] when it is
used for setting up the environment, so it doesn't make sense for the
function to crash (most probably, in a fuzzing program it will be called
with arguments that would make it fail).
The previous behavior was causing a bunch of "Lost connection to test
machine" syzkaller crashes which were meaningless. An example of a
program in which syz_mmap would crash would be any program in which the
handle to the root vmar is closed before calling syz_mmap.
[0]: https://github.com/google/syzkaller/blob/a60cb4cd840ce786236a00480e8bb1025e0c5fef/executor/executor_fuchsia.h#L15

Also respond with lang ID when string #0 is requested.

This forces the kernel to make a USB string request and select a lang ID
early during the enumeration stage.

Also rename cdc_ethernet to cdc_ecm.

Go support is not a priority for Fuchsia at the moment, so it's
preferable to use host fuzzing mode for Fuchsia, as is currently done
for Akaros.
This commit basically looks for all the places where there was special
logic for OS=="akaros" and extends the same logic for OS=="fuchsia".

bNumEndpoints is defined as len[endpoints]. This initially assumed that
endpoints is an array, which is not the case for descriptions for
particular USB classes. Improve it by defining a new template for interfaces
and passing in a value range for bNumEndpoints for these cases.

CDC NCM support is incomplete, as it requires support for describing multiple
interfaces per configuration.

They should either contain a lang id or a string.
Do some other minor fixes as well.

syz_open_dev$char_usb opens char devices with major = USB_MAJOR.
Sanitize its values to make sure it doesn't open other char/block devices.

Also simplify timeout related code a bit.

Also put USB HID descriptions together.

Remove long items and better specify tags.

Update socket timeval, timestamp options and flags.
v2: separate SO_{TIMESTAMP, TIMESTAMPNS}_{OLD, NEW} as they only need
enable/disable option value.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>

Default value for ProcType is 0 (same for all PIDs).
Usually 0 either does not make sense at all or makes different PIDs collide
(since we use ProcType to separate value ranges for different PIDs).
So don't change ProcType to 0 unless the type is explicitly marked as opt
(in that case we will also generate 0 anyway).